From 37c148e7da8d3bd8d7f5b987a93547a43cf53c42 Mon Sep 17 00:00:00 2001 From: Raphael Groner Date: Jun 04 2017 19:34:44 +0000 Subject: fix FTBFS, rhbz#1384023, modernized --- diff --git a/ecryptfs-utils-75-werror.patch b/ecryptfs-utils-75-werror.patch index b55dbff..c089d7f 100644 --- a/ecryptfs-utils-75-werror.patch +++ b/ecryptfs-utils-75-werror.patch @@ -24,17 +24,18 @@ diff -up ecryptfs-utils-109/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror return rc; } -@@ -358,14 +357,14 @@ static int ecryptfs_pkcs11h_get_key_sig( - data[i++] = '\02'; +@@ -379,15 +379,15 @@ static int ecryptfs_pkcs11h_get_key_sig( data[i++] = (char)(nbits >> 8); data[i++] = (char)nbits; -- BN_bn2bin(rsa->n, &(data[i])); -+ BN_bn2bin(rsa->n, (unsigned char *)&(data[i])); + RSA_get0_key(rsa, &rsa_n, NULL, NULL); +- BN_bn2bin(rsa_n, &(data[i])); ++ BN_bn2bin(rsa_n, (unsigned char *)&(data[i])); i += nbytes; data[i++] = (char)(ebits >> 8); data[i++] = (char)ebits; -- BN_bn2bin(rsa->e, &(data[i])); -+ BN_bn2bin(rsa->e, (unsigned char *)&(data[i])); + RSA_get0_key(rsa, NULL, &rsa_e, NULL); +- BN_bn2bin(rsa_e, &(data[i])); ++ BN_bn2bin(rsa_e, (unsigned char *)&(data[i])); i += ebytes; - SHA1(data, len + 3, hash); - to_hex(sig, hash, ECRYPTFS_SIG_SIZE); diff --git a/ecryptfs-utils-87-syslog.patch b/ecryptfs-utils-87-syslog.patch index be563bc..0ead855 100644 --- a/ecryptfs-utils-87-syslog.patch +++ b/ecryptfs-utils-87-syslog.patch @@ -10,359 +10,3 @@ diff -up ecryptfs-utils-108/src/include/ecryptfs.h.syslog ecryptfs-utils-108/src #define ECRYPTFS_MAX_NUM_CIPHERS 64 #define ECRYPTFS_ECHO_ON 1 -diff -up ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c.syslog 2015-08-11 14:44:02.640814023 +0200 -+++ ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c 2015-08-11 14:44:02.643814015 +0200 -@@ -93,7 +93,7 @@ static int wrap_passphrase_if_necessary( - - rc = asprintf(&unwrapped_pw_filename, "/dev/shm/.ecryptfs-%s", username); - if (rc == -1) { -- syslog(LOG_ERR, "pam_ecryptfs: Unable to allocate memory\n"); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Unable to allocate memory\n"); - return -ENOMEM; - } - /* If /dev/shm/.ecryptfs-$USER exists and owned by the user -@@ -105,7 +105,7 @@ static int wrap_passphrase_if_necessary( - passphrase != NULL && *passphrase != '\0' && - username != NULL && *username != '\0') { - if ((rc = setuid(uid))<0 || ((rc = ecryptfs_wrap_passphrase_file(wrapped_pw_filename, passphrase, salt, unwrapped_pw_filename)) != 0)) { -- syslog(LOG_ERR, "pam_ecryptfs: Error wrapping cleartext password; " "rc = [%d]\n", rc); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error wrapping cleartext password; " "rc = [%d]\n", rc); - } - return rc; - } -@@ -149,7 +149,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h - struct ecryptfs_pam_data *epd; - - if ((epd = calloc(1, sizeof(struct ecryptfs_pam_data))) == NULL) { -- syslog(LOG_ERR,"Memory allocation failed"); -+ ecryptfs_syslog(LOG_ERR,"Memory allocation failed"); - rc = -ENOMEM; - goto out; - } -@@ -168,7 +168,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h - } else rc = errno; - } - if (!epd->homedir) { -- syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc); - goto out; - } - -@@ -176,7 +176,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h - goto out; - private_mnt = ecryptfs_fetch_private_mnt(epd->homedir); - if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) { -- syslog(LOG_DEBUG, "pam_ecryptfs: %s: %s is already mounted\n", __FUNCTION__, epd->homedir); -+ ecryptfs_syslog(LOG_DEBUG, "pam_ecryptfs: %s: %s is already mounted\n", __FUNCTION__, epd->homedir); - /* If private/home is already mounted, then we can skip - costly loading of keys */ - goto out; -@@ -186,7 +186,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h - else - rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&epd->passphrase); - if (rc != PAM_SUCCESS) { -- syslog(LOG_ERR, "pam_ecryptfs: Error retrieving passphrase; rc = [%ld]\n", -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error retrieving passphrase; rc = [%ld]\n", - rc); - goto out; - } -@@ -198,7 +198,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h - from_hex(epd->salt, salt_hex, ECRYPTFS_SALT_SIZE); - epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0)); - if ((rc=pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata)) != PAM_SUCCESS) { -- syslog(LOG_ERR, "Unable to store ecryptfs pam data : %s", pam_strerror(pamh, rc)); -+ ecryptfs_syslog(LOG_ERR, "Unable to store ecryptfs pam data : %s", pam_strerror(pamh, rc)); - goto out; - } - -@@ -222,12 +222,12 @@ static struct passwd *fetch_pwd(pam_hand - - rc = pam_get_user(pamh, &username, NULL); - if (rc != PAM_SUCCESS || username == NULL) { -- syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc); - return NULL; - } - pwd = getpwnam(username); - if (pwd == NULL) { -- syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc); - return NULL; - } - return pwd; -@@ -258,13 +258,13 @@ static int private_dir(pam_handle_t *pam - if ( - (asprintf(&autofile, "%s/.ecryptfs/%s", pwd->pw_dir, a) < 0) - || autofile == NULL) { -- syslog(LOG_ERR, "pam_ecryptfs: Error allocating memory for autofile name"); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error allocating memory for autofile name"); - return 1; - } - if ( - (asprintf(&sigfile, "%s/.ecryptfs/%s.sig", pwd->pw_dir, - PRIVATE_DIR) < 0) || sigfile == NULL) { -- syslog(LOG_ERR, "pam_ecryptfs: Error allocating memory for sigfile name"); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error allocating memory for sigfile name"); - return 1; - } - if (stat(sigfile, &s) != 0) { -@@ -276,7 +276,7 @@ static int private_dir(pam_handle_t *pam - goto out; - } - if ((pid = fork()) < 0) { -- syslog(LOG_ERR, "pam_ecryptfs: Error setting up private mount"); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error setting up private mount"); - return 1; - } - if (pid == 0) { -@@ -284,7 +284,7 @@ static int private_dir(pam_handle_t *pam - if ((asprintf(&recorded, - "%s/.ecryptfs/.wrapped-passphrase.recorded", - pwd->pw_dir) < 0) || recorded == NULL) { -- syslog(LOG_ERR, "pam_ecryptfs: Error allocating memory for recorded name"); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error allocating memory for recorded name"); - _exit(255); - } - if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) { -@@ -297,12 +297,12 @@ static int private_dir(pam_handle_t *pam - } - if (stat(autofile, &s) != 0) { - /* User does not want to auto-mount */ -- syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs mount"); -+ ecryptfs_syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs mount"); - _exit(0); - } - clearenv(); - if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) { -- syslog(LOG_ERR, "Unable to set user's groups : %m"); -+ ecryptfs_syslog(LOG_ERR, "Unable to set user's groups : %m"); - _exit(-1); - } - /* run mount.ecryptfs_private as the user */ -@@ -310,16 +310,16 @@ static int private_dir(pam_handle_t *pam - _exit(-1); - execl("/sbin/mount.ecryptfs_private", - "mount.ecryptfs_private", NULL); -- syslog(LOG_ERR, "unable to execute mount.ecryptfs_private : %m"); -+ ecryptfs_syslog(LOG_ERR, "unable to execute mount.ecryptfs_private : %m"); - } else { - if (stat(autofile, &s) != 0) { - /* User does not want to auto-unmount */ -- syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs unmount"); -+ ecryptfs_syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs unmount"); - _exit(0); - } - clearenv(); - if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) { -- syslog(LOG_ERR, "Unable to set user's groups : %m"); -+ ecryptfs_syslog(LOG_ERR, "Unable to set user's groups : %m"); - _exit(-1); - } - /* run umount.ecryptfs_private as the user */ -@@ -327,7 +327,7 @@ static int private_dir(pam_handle_t *pam - _exit(-1); - execl("/sbin/umount.ecryptfs_private", - "umount.ecryptfs_private", "-d", NULL); -- syslog(LOG_ERR, "unable to execute umount.ecryptfs_private : %m"); -+ ecryptfs_syslog(LOG_ERR, "unable to execute umount.ecryptfs_private : %m"); - _exit(1); - } - _exit(1); -@@ -362,24 +362,24 @@ static int fill_keyring(pam_handle_t *pa - - if ((rc=pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd)) != PAM_SUCCESS) - { -- syslog(LOG_ERR,"Unable to get ecryptfs pam data : %s", pam_strerror(pamh, rc)); -+ ecryptfs_syslog(LOG_ERR,"Unable to get ecryptfs pam data : %s", pam_strerror(pamh, rc)); - return -EINVAL; - } - - oeuid = geteuid(); - oegid = getegid(); - if ((ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) { -- syslog(LOG_ERR, "pam_ecryptfs: geteuid error"); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: geteuid error"); - goto outnouid; - } - - if (setegid(epd->gid) < 0 || setgroups(1, &epd->gid) < 0 || seteuid(epd->uid) < 0) { -- syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); - goto out; - } - - if (!auth_tok_sig) { -- syslog(LOG_ERR, "Out of memory\n"); -+ ecryptfs_syslog(LOG_ERR, "Out of memory\n"); - return -ENOMEM; - } - -@@ -387,7 +387,7 @@ static int fill_keyring(pam_handle_t *pa - /* temp regain uid 0 to drop privs */ - if (seteuid(oeuid) < 0) - { -- syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); - goto out_child; - } - /* setgroups() already called */ -@@ -395,12 +395,12 @@ static int fill_keyring(pam_handle_t *pa - goto out_child; - - if (epd->passphrase == NULL) { -- syslog(LOG_ERR, "NULL passphrase; aborting\n"); -+ ecryptfs_syslog(LOG_ERR, "NULL passphrase; aborting\n"); - rc = -EINVAL; - goto out_child; - } - if ((rc = ecryptfs_validate_keyring())) { -- syslog(LOG_WARNING, -+ ecryptfs_syslog(LOG_WARNING, - "Cannot validate keyring integrity\n"); - } - rc = 0; -@@ -412,18 +412,18 @@ static int fill_keyring(pam_handle_t *pa - epd->homedir, - ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME); - if (rc == -1) { -- syslog(LOG_ERR, "Unable to allocate memory\n"); -+ ecryptfs_syslog(LOG_ERR, "Unable to allocate memory\n"); - rc = -ENOMEM; - goto out_child; - } - if (wrap_passphrase_if_necessary(epd->username, epd->uid, wrapped_pw_filename, epd->passphrase, epd->salt) == 0) { -- syslog(LOG_INFO, "Passphrase file wrapped"); -+ ecryptfs_syslog(LOG_INFO, "Passphrase file wrapped"); - } else { - goto out_child; - } - if (rewrap_passphrase_if_necessary(wrapped_pw_filename, epd->passphrase, epd->salt)) { - /* Non fatal condition. Log a warning. */ -- syslog(LOG_WARNING, "pam_ecryptfs: Unable to rewrap passphrase file\n"); -+ ecryptfs_syslog(LOG_WARNING, "pam_ecryptfs: Unable to rewrap passphrase file\n"); - } - rc = ecryptfs_insert_wrapped_passphrase_into_keyring( - auth_tok_sig, wrapped_pw_filename, epd->passphrase, -@@ -437,7 +437,7 @@ static int fill_keyring(pam_handle_t *pa - goto out_child; - } - if (rc) { -- syslog(LOG_ERR, "Error adding passphrase key token to " -+ ecryptfs_syslog(LOG_ERR, "Error adding passphrase key token to " - "user session keyring; rc = [%d]\n", rc); - goto out_child; - } -@@ -447,7 +447,7 @@ out_child: - } - tmp_pid = waitpid(child_pid, NULL, 0); - if (tmp_pid == -1) -- syslog(LOG_WARNING, -+ ecryptfs_syslog(LOG_WARNING, - "waitpid() returned with error condition\n"); - out: - rc = seteuid(oeuid); -@@ -506,33 +506,33 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand - homedir = pwd->pw_dir; - } - } else { -- syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%d]\n", username, rc); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%d]\n", username, rc); - goto out; - } - - oeuid = geteuid(); - oegid = getegid(); - if ((ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) { -- syslog(LOG_ERR, "pam_ecryptfs: geteuid error"); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: geteuid error"); - goto outnouid; - } - - if (setegid(gid) < 0 || setgroups(1, &gid) < 0 || seteuid(uid) < 0) { -- syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); - goto out; - } - - if ((rc = pam_get_item(pamh, PAM_OLDAUTHTOK, - (const void **)&old_passphrase)) - != PAM_SUCCESS) { -- syslog(LOG_ERR, "pam_ecryptfs: Error retrieving old passphrase; rc = [%d]\n", rc); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error retrieving old passphrase; rc = [%d]\n", rc); - goto out; - } - /* On the first pass, do nothing except check that we have a password */ - if ((flags & PAM_PRELIM_CHECK)) { - if (!old_passphrase) - { -- syslog(LOG_WARNING, "pam_ecryptfs: PAM passphrase change module retrieved a NULL passphrase; nothing to do\n"); -+ ecryptfs_syslog(LOG_WARNING, "pam_ecryptfs: PAM passphrase change module retrieved a NULL passphrase; nothing to do\n"); - rc = PAM_AUTHTOK_RECOVER_ERR; - } - goto out; -@@ -540,13 +540,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand - if ((rc = pam_get_item(pamh, PAM_AUTHTOK, - (const void **)&new_passphrase)) - != PAM_SUCCESS) { -- syslog(LOG_ERR, "pam_ecryptfs: Error retrieving new passphrase; rc = [%d]\n", rc); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error retrieving new passphrase; rc = [%d]\n", rc); - goto out; - } - if ((rc = asprintf(&wrapped_pw_filename, "%s/.ecryptfs/%s", homedir, - ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME)) - == -1) { -- syslog(LOG_ERR, "pam_ecryptfs: Unable to allocate memory\n"); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Unable to allocate memory\n"); - rc = -ENOMEM; - goto out; - } -@@ -556,13 +556,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand - from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE); - } - if (wrap_passphrase_if_necessary(username, uid, wrapped_pw_filename, new_passphrase, salt) == 0) { -- syslog(LOG_DEBUG, "pam_ecryptfs: Passphrase file wrapped"); -+ ecryptfs_syslog(LOG_DEBUG, "pam_ecryptfs: Passphrase file wrapped"); - } else { - goto out; - } - - if (!old_passphrase || !new_passphrase || *new_passphrase == '\0') { -- syslog(LOG_WARNING, "pam_ecryptfs: PAM passphrase change module retrieved at least one NULL passphrase; nothing to do\n"); -+ ecryptfs_syslog(LOG_WARNING, "pam_ecryptfs: PAM passphrase change module retrieved at least one NULL passphrase; nothing to do\n"); - rc = PAM_AUTHTOK_RECOVER_ERR; - goto out; - } -@@ -572,7 +572,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand - - /* temp regain uid 0 to drop privs */ - if (seteuid(oeuid) < 0) { -- syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); - goto out_child; - } - /* setgroups() already called */ -@@ -582,20 +582,20 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand - if ((rc = ecryptfs_unwrap_passphrase(passphrase, - wrapped_pw_filename, - old_passphrase, salt))) { -- syslog(LOG_ERR, "pam_ecryptfs: Error attempting to unwrap passphrase; rc = [%d]\n", rc); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error attempting to unwrap passphrase; rc = [%d]\n", rc); - goto out_child; - } - if ((rc = ecryptfs_wrap_passphrase(wrapped_pw_filename, - new_passphrase, salt, - passphrase))) { -- syslog(LOG_ERR, "pam_ecryptfs: Error attempting to wrap passphrase; rc = [%d]", rc); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error attempting to wrap passphrase; rc = [%d]", rc); - goto out_child; - } - out_child: - _exit(0); - } - if ((tmp_pid = waitpid(child_pid, NULL, 0)) == -1) -- syslog(LOG_WARNING, "pam_ecryptfs: waitpid() returned with error condition\n"); -+ ecryptfs_syslog(LOG_WARNING, "pam_ecryptfs: waitpid() returned with error condition\n"); - free(wrapped_pw_filename); - out: - diff --git a/ecryptfs-utils-openssl11.patch b/ecryptfs-utils-openssl11.patch new file mode 100644 index 0000000..b5ff7b6 --- /dev/null +++ b/ecryptfs-utils-openssl11.patch @@ -0,0 +1,166 @@ +=== modified file 'src/key_mod/ecryptfs_key_mod_openssl.c' +--- src/key_mod/ecryptfs_key_mod_openssl.c 2013-10-25 19:45:09 +0000 ++++ src/key_mod/ecryptfs_key_mod_openssl.c 2017-06-02 18:27:28 +0000 +@@ -41,6 +41,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -55,6 +56,19 @@ + char *passphrase; + }; + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++static void RSA_get0_key(const RSA *r, ++ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) ++{ ++ if (n != NULL) ++ *n = r->n; ++ if (e != NULL) ++ *e = r->e; ++ if (d != NULL) ++ *d = r->d; ++} ++#endif ++ + static void + ecryptfs_openssl_destroy_openssl_data(struct openssl_data *openssl_data) + { +@@ -142,6 +156,7 @@ + { + int len, nbits, ebits, i; + int nbytes, ebytes; ++ const BIGNUM *key_n, *key_e; + unsigned char *hash; + unsigned char *data = NULL; + int rc = 0; +@@ -152,11 +167,13 @@ + rc = -ENOMEM; + goto out; + } +- nbits = BN_num_bits(key->n); ++ RSA_get0_key(key, &key_n, NULL, NULL); ++ nbits = BN_num_bits(key_n); + nbytes = nbits / 8; + if (nbits % 8) + nbytes++; +- ebits = BN_num_bits(key->e); ++ RSA_get0_key(key, NULL, &key_e, NULL); ++ ebits = BN_num_bits(key_e); + ebytes = ebits / 8; + if (ebits % 8) + ebytes++; +@@ -179,11 +196,13 @@ + data[i++] = '\02'; + data[i++] = (nbits >> 8); + data[i++] = nbits; +- BN_bn2bin(key->n, &(data[i])); ++ RSA_get0_key(key, &key_n, NULL, NULL); ++ BN_bn2bin(key_n, &(data[i])); + i += nbytes; + data[i++] = (ebits >> 8); + data[i++] = ebits; +- BN_bn2bin(key->e, &(data[i])); ++ RSA_get0_key(key, NULL, &key_e, NULL); ++ BN_bn2bin(key_e, &(data[i])); + i += ebytes; + SHA1(data, len + 3, hash); + to_hex(sig, (char *)hash, ECRYPTFS_SIG_SIZE); +@@ -278,7 +297,9 @@ + BIO *in = NULL; + int rc; + ++ #if OPENSSL_VERSION_NUMBER < 0x10100000L + CRYPTO_malloc_init(); ++ #endif + ERR_load_crypto_strings(); + OpenSSL_add_all_algorithms(); + ENGINE_load_builtin_engines(); + +=== modified file 'src/key_mod/ecryptfs_key_mod_pkcs11_helper.c' +--- src/key_mod/ecryptfs_key_mod_pkcs11_helper.c 2013-10-25 19:45:09 +0000 ++++ src/key_mod/ecryptfs_key_mod_pkcs11_helper.c 2017-06-02 18:27:28 +0000 +@@ -41,6 +41,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -77,6 +78,19 @@ + typedef const unsigned char *__pkcs11_openssl_d2i_t; + #endif + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++static void RSA_get0_key(const RSA *r, ++ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) ++{ ++ if (n != NULL) ++ *n = r->n; ++ if (e != NULL) ++ *e = r->e; ++ if (d != NULL) ++ *d = r->d; ++} ++#endif ++ + /** + * ecryptfs_pkcs11h_deserialize + * @pkcs11h_data: The deserialized version of the key module data; +@@ -282,7 +296,11 @@ + goto out; + } + ++ #if OPENSSL_VERSION_NUMBER < 0x10100000L + if (pubkey->type != EVP_PKEY_RSA) { ++ #else ++ if (EVP_PKEY_base_id(pubkey) != EVP_PKEY_RSA) { ++ #endif + syslog(LOG_ERR, "PKCS#11: Invalid public key algorithm"); + rc = -EIO; + goto out; +@@ -318,6 +336,7 @@ + int nbytes, ebytes; + char *hash = NULL; + char *data = NULL; ++ const BIGNUM *rsa_n, *rsa_e; + int rc; + + if ((rc = ecryptfs_pkcs11h_get_public_key(&rsa, blob))) { +@@ -331,11 +350,13 @@ + rc = -ENOMEM; + goto out; + } +- nbits = BN_num_bits(rsa->n); ++ RSA_get0_key(rsa, &rsa_n, NULL, NULL); ++ nbits = BN_num_bits(rsa_n); + nbytes = nbits / 8; + if (nbits % 8) + nbytes++; +- ebits = BN_num_bits(rsa->e); ++ RSA_get0_key(rsa, NULL, &rsa_e, NULL); ++ ebits = BN_num_bits(rsa_e); + ebytes = ebits / 8; + if (ebits % 8) + ebytes++; +@@ -358,11 +379,13 @@ + data[i++] = '\02'; + data[i++] = (char)(nbits >> 8); + data[i++] = (char)nbits; +- BN_bn2bin(rsa->n, &(data[i])); ++ RSA_get0_key(rsa, &rsa_n, NULL, NULL); ++ BN_bn2bin(rsa_n, &(data[i])); + i += nbytes; + data[i++] = (char)(ebits >> 8); + data[i++] = (char)ebits; +- BN_bn2bin(rsa->e, &(data[i])); ++ RSA_get0_key(rsa, NULL, &rsa_e, NULL); ++ BN_bn2bin(rsa_e, &(data[i])); + i += ebytes; + SHA1(data, len + 3, hash); + to_hex(sig, hash, ECRYPTFS_SIG_SIZE); + diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec index 7c30d80..0adf55f 100644 --- a/ecryptfs-utils.spec +++ b/ecryptfs-utils.spec @@ -5,72 +5,74 @@ Name: ecryptfs-utils Version: 111 -Release: 4%{?dist} +Release: 5%{?dist} Summary: The eCryptfs mount helper and support libraries -Group: System Environment/Base License: GPLv2+ URL: https://launchpad.net/ecryptfs + Source0: http://launchpad.net/ecryptfs/trunk/%{version}/+download/%{name}_%{version}.orig.tar.gz Source1: ecryptfs-mount-private.png +### upstream patches +# rhbz#1384023, openssl 1.1.x +Patch1: https://code.launchpad.net/~jelle-vdwaa/ecryptfs/ecryptfs/+merge/319746/+preview-diff/792383/+files/preview.diff#/%{name}-openssl11.patch + +### downstream patches # rhbz#500829, do not use ubuntu/debian only service -Patch2: ecryptfs-utils-75-nocryptdisks.patch +Patch92: %{name}-75-nocryptdisks.patch # rhbz#553629, fix usage of salt together with file_passwd -Patch3: ecryptfs-utils-83-fixsalt.patch +Patch93: %{name}-83-fixsalt.patch # fedora/rhel specific, rhbz#486139, remove nss dependency from umount.ecryptfs -Patch4: ecryptfs-utils-83-splitnss.patch +Patch94: %{name}-83-splitnss.patch # rhbz#664474, fix unsigned < 0 test -Patch5: ecryptfs-utils-84-fixsigness.patch +Patch95: %{name}-84-fixsigness.patch # fix man pages -Patch8: ecryptfs-utils-86-manpage.patch +Patch98: %{name}-86-manpage.patch # autoload ecryptfs module in ecryptfs-setup-private when needed, rhbz#707608 -Patch9: ecryptfs-utils-87-autoload.patch +Patch99: %{name}-87-autoload.patch # fedora/rhel specific, check for pam ecryptfs module before home migration -Patch11: ecryptfs-utils-87-authconfig.patch - -# memcpy can't be used on overlaping areas -Patch12: ecryptfs-utils-87-memcpyfix.patch - -# allow building with -Werror -Patch999: ecryptfs-utils-75-werror.patch +Patch911: %{name}-87-authconfig.patch # using return after fork() in pam module has some nasty side effects, rhbz#722445 -Patch14: ecryptfs-utils-87-fixpamfork.patch +Patch914: %{name}-87-fixpamfork.patch # we need gid==ecryptfs in pam module before mount.ecryptfs_private execution -Patch15: ecryptfs-utils-87-fixexecgid.patch +Patch915: %{name}-87-fixexecgid.patch # do not use zombie process, it causes lock ups at least for ssh login -Patch16: ecryptfs-utils-87-nozombies.patch +Patch916: %{name}-87-nozombies.patch # if we do not use zombies, we have to store passphrase in pam_data and init keyring later -Patch17: ecryptfs-utils-87-pamdata.patch +Patch917: %{name}-87-pamdata.patch # patch17 needs propper const on some places -Patch18: ecryptfs-utils-87-fixconst.patch +Patch918: %{name}-87-fixconst.patch -Patch19: ecryptfs-utils-87-syslog.patch +Patch919: %{name}-87-syslog.patch # if e-m-p fails, check if user is member of ecryptfs group -Patch21: ecryptfs-utils-96-groupcheck.patch -Patch22: ecryptfs-utils-99-selinux.patch +Patch921: %{name}-96-groupcheck.patch +Patch922: %{name}-99-selinux.patch # rhbz#868330 -Patch23: ecryptfs-utils-100-sudokeyring.patch +Patch923: %{name}-100-sudokeyring.patch # for e-u < 112 -Patch24: ecryptfs-utils-111-cve_2016_5224.patch +Patch924: %{name}-111-cve_2016_5224.patch # do not crash if no password is available #1339714 -Patch25: ecryptfs-utils-111-nopasswd.patch +Patch925: %{name}-111-nopasswd.patch + +### patches for general cleanup, should be kept and executed after all others +# allow building with -Werror +Patch999: %{name}-75-werror.patch -BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) Requires: keyutils, cryptsetup-luks, util-linux, gettext BuildRequires: libgcrypt-devel keyutils-libs-devel openssl-devel pam-devel BuildRequires: trousers-devel nss-devel desktop-file-utils intltool @@ -83,11 +85,11 @@ kernel versions 2.6.19 and above. This package provides the mount helper and supporting libraries to perform key management and mount functions. -Install ecryptfs-utils if you would like to mount eCryptfs. +Install %{name} if you would like to mount eCryptfs. %package devel Summary: The eCryptfs userspace development package -Group: System Environment/Base +Requires: %{name} = %{version}-%{release} Requires: keyutils-libs-devel %{name} = %{version}-%{release} Requires: pkgconfig @@ -96,58 +98,61 @@ Userspace development files for eCryptfs. %package python Summary: Python bindings for the eCryptfs utils -Group: System Environment/Base -Requires: ecryptfs-utils %{name} = %{version}-%{release} +Requires: %{name} = %{version}-%{release} BuildRequires: python python-devel swig >= 1.3.31 %description python -The ecryptfs-utils-python package contains a module that permits +The %{name}-python package contains a module that permits applications written in the Python programming language to use -the interface supplied by the ecryptfs-utils library. +the interface supplied by the %{name} library. %prep %setup -q -%patch2 -p1 -b .nocryptdisks -%patch3 -p1 -b .fixsalt -%patch4 -p1 -b .splitnss -%patch5 -p1 -b .fixsigness -%patch8 -p1 -b .manfix -%patch9 -p1 -b .autoload -%patch11 -p1 -b .authconfig -#%patch12 -p1 -b .memcpyfix +%patch1 -p0 -b .openssl11 + +%patch92 -p1 -b .nocryptdisks +%patch93 -p1 -b .fixsalt +%patch94 -p1 -b .splitnss +%patch95 -p1 -b .fixsigness +%patch98 -p1 -b .manfix +%patch99 -p1 -b .autoload +%patch911 -p1 -b .authconfig +%patch914 -p1 -b .fixpamfork +%patch915 -p1 -b .fixexecgid +%patch916 -p1 -b .nozombies +%patch917 -p1 -b .pamdata +%patch918 -p1 -b .fixconst +%patch919 -p1 -b .syslog +%patch921 -p1 -b .groupcheck +%patch922 -p1 -b .selinux +%patch923 -p1 -b .sudokeyring +%patch924 -p1 -b .cve_2016_5224 +%patch925 -p1 -b .nopasswd + %patch999 -p1 -b .werror -%patch14 -p1 -b .fixpamfork -%patch15 -p1 -b .fixexecgid -%patch16 -p1 -b .nozombies -%patch17 -p1 -b .pamdata -%patch18 -p1 -b .fixconst -%patch19 -p1 -b .syslog -%patch21 -p1 -b .groupcheck -%patch22 -p1 -b .selinux -%patch23 -p1 -b .sudokeyring -%patch24 -p1 -b .cve_2016_5224 -%patch25 -p1 -b .nopasswd + +sed -i -r 's:^_syslog\(LOG:ecryptfs_\0:' src/pam_ecryptfs/pam_ecryptfs.c %build -%global _hardened_build 1 -export CFLAGS="$RPM_OPT_FLAGS -Werror -Wtype-limits -Wno-unused" +# openssl 1.1 marks some functions as deprecated +export CFLAGS="$RPM_OPT_FLAGS -Werror -Wtype-limits -Wno-unused -Wno-error=deprecated-declarations" + #we're modifing Makefile.am autoreconf -fiv %configure --disable-rpath --enable-tspi --enable-nss --enable-pkcs11-helper --enable-tests -make clean + #disable rpath sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool -make %{?_smp_mflags} +%make_build %install -rm -rf $RPM_BUILD_ROOT -make install DESTDIR=$RPM_BUILD_ROOT -find $RPM_BUILD_ROOT/ -name '*.la' | xargs rm -f +%make_install +find $RPM_BUILD_ROOT/ -name '*.la' -print -delete rm -rf $RPM_BUILD_ROOT%{_docdir}/%{name} -#install files Makefile forgot install -install -m644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/%{name}/ecryptfs-mount-private.png +#install files Makefile forgot to install +install -p -m644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/%{name}/ecryptfs-mount-private.png printf "Encoding=UTF-8\n" >>$RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-mount-private.desktop printf "Encoding=UTF-8\n" >>$RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-setup-private.desktop printf "Icon=%{_datadir}/%{name}/ecryptfs-mount-private.png\n" >>$RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-mount-private.desktop @@ -195,12 +200,9 @@ if [ $1 -eq 0 ] ; then authconfig --disableecryptfs --update fi -%clean -rm -rf $RPM_BUILD_ROOT - %files -f %{name}.lang -%defattr(-,root,root,-) -%doc README COPYING AUTHORS NEWS THANKS +%license COPYING +%doc README AUTHORS NEWS THANKS %doc doc/ecryptfs-faq.html %doc doc/ecryptfs-pkcs11-helper-doc.txt %{_sbindir}/mount.ecryptfs @@ -260,23 +262,27 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/umount.ecryptfs.8.gz %files devel -%defattr(-,root,root,-) %{_libdir}/libecryptfs.so %{_libdir}/pkgconfig/libecryptfs.pc %{_includedir}/ecryptfs.h %files python -%defattr(-,root,root,-) -%dir %{python_sitelib}/ecryptfs-utils -%{python_sitelib}/ecryptfs-utils/libecryptfs.py -%{python_sitelib}/ecryptfs-utils/libecryptfs.pyc -%{python_sitelib}/ecryptfs-utils/libecryptfs.pyo -%dir %{python_sitearch}/ecryptfs-utils -%{python_sitearch}/ecryptfs-utils/_libecryptfs.so.0 -%{python_sitearch}/ecryptfs-utils/_libecryptfs.so.0.0.0 -%{python_sitearch}/ecryptfs-utils/_libecryptfs.so +%dir %{python_sitelib}/%{name} +%{python_sitelib}/%{name}/libecryptfs.py +%{python_sitelib}/%{name}/libecryptfs.pyc +%{python_sitelib}/%{name}/libecryptfs.pyo +%dir %{python_sitearch}/%{name} +%{python_sitearch}/%{name}/_libecryptfs.so.0 +%{python_sitearch}/%{name}/_libecryptfs.so.0.0.0 +%{python_sitearch}/%{name}/_libecryptfs.so %changelog +* Sun Jun 04 2017 Raphael Groner - 111-5 +- add patch for openssl 1.1.x, rhbz#1384023 +- mark patches of upstream and downstream +- fix legacy patches to still work, drop obsolete patch for memcpyfix +- general modernization according to guidelines, drop obsolete commands + * Fri Feb 10 2017 Fedora Release Engineering - 111-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild @@ -287,27 +293,27 @@ rm -rf $RPM_BUILD_ROOT - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages * Fri Jul 15 2016 Michal Hlavinka - 111-1 -- ecryptfs-utils updated to 111 +- %{name} updated to 111 - fix ecryptfs-setup-swap improperly configures encrypted swap when using GPT partitioning on a NVMe or MMC drive (CVE-2016-6224, rhbz#1356828) * Mon Feb 29 2016 Michal Hlavinka - 110-1 -- ecryptfs-utils updated to 110 +- %{name} updated to 110 * Wed Feb 03 2016 Fedora Release Engineering - 109-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild * Tue Jan 26 2016 Michal Hlavinka - 109-1 -- ecryptfs-utils updated to 109 +- %{name} updated to 109 * Tue Aug 11 2015 Michal Hlavinka - 108-1 -- ecryptfs-utils updated to 108 +- %{name} updated to 108 * Wed Jun 17 2015 Fedora Release Engineering - 106-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild * Mon Mar 30 2015 Michal Hlavinka - 106-1 -- ecryptfs-utils updated to 106 +- %{name} updated to 106 * Mon Jan 26 2015 Michal Hlavinka - 104-3 - fix pam sigsegv (#1184645) @@ -316,7 +322,7 @@ rm -rf $RPM_BUILD_ROOT - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild * Wed Jul 23 2014 Michal Hlavinka - 104-1 -- ecryptfs-utils updated to 104 +- %{name} updated to 104 * Sat Jun 07 2014 Fedora Release Engineering - 103-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild @@ -331,10 +337,10 @@ rm -rf $RPM_BUILD_ROOT - make executables hardened (#965505) * Wed Jan 30 2013 Michal Hlavinka - 103-1 -- ecryptfs-utils updated to 103 +- %{name} updated to 103 * Mon Oct 29 2012 Michal Hlavinka - 101-1 -- ecryptfs-utils updated to 101 +- %{name} updated to 101 * Thu Oct 25 2012 Michal Hlavinka - 100-6 - home migration did not work under sudo (#868330) @@ -352,10 +358,10 @@ rm -rf $RPM_BUILD_ROOT - fix Werror messages in new build environment * Fri Aug 03 2012 Michal Hlavinka - 100-1 -- ecryptfs-utils updated to 100 +- %{name} updated to 100 * Tue Jul 24 2012 Michal Hlavinka - 99-1 -- ecryptfs-utils updated to 99 +- %{name} updated to 99 - fixes: suid helper does not restrict mounting filesystems with nosuid, nodev leading to possible privilege escalation (CVE-2012-3409) @@ -363,7 +369,7 @@ rm -rf $RPM_BUILD_ROOT - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild * Mon Jun 25 2012 Michal Hlavinka - 97-1 -- ecryptfs-utils updated to 97 +- %{name} updated to 97 * Mon Jun 04 2012 Michal Hlavinka - 96-3 - for file name encryption support check, module must be loaded already @@ -372,7 +378,7 @@ rm -rf $RPM_BUILD_ROOT - when ecryptfs-mount-fails, check if user is member of ecryptfs group * Mon Feb 20 2012 Michal Hlavinka - 96-1 -- ecryptfs-utils updated to 96 +- %{name} updated to 96 * Mon Feb 13 2012 Michal Hlavinka - 95-3 - blowfish and twofish support check did not work with on 3.2.x kernels (#785036) @@ -445,7 +451,7 @@ rm -rf $RPM_BUILD_ROOT - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild * Tue Feb 01 2011 Michal Hlavinka - 85-1 -- ecryptfs-utils updated to 85 +- %{name} updated to 85 * Tue Jan 11 2011 Dan HorĂ¡k - 84-3 - fix build on arches where char is unsigned by default @@ -454,7 +460,7 @@ rm -rf $RPM_BUILD_ROOT - fix unsigned < 0 test (#664474) * Mon Dec 20 2010 Michal Hlavinka - 84-1 -- ecryptfs-utils updated to 84 +- %{name} updated to 84 * Wed Sep 29 2010 jkeating - 83-9 - Rebuilt for gcc bug 634757